Monday, September 22, 2014

Outlook 2010 and Exchange 2013 Users Prompted for Authentication

Over the past few months I have had customers complain about Outlook 2010 users getting prompted for a username and password after moving to Exchange 2013. In previous versions of Exchange Server, such as 2003, 2007 and 2010, Outlook connected to the Exchange server either directly over RPC (RPC/TCP) or via Outlook Anywhere (RPC over HTTPS). Client connectivity changed significantly in Exchange 2013: direct RPC is gone and only Outlook Anywhere is supported, with the exception of MAPI over HTTP on Exchange 2013 SP1, and then only for Outlook 2013 SP1 clients.

The following table summarizes the connection methods available for the various versions of Outlook and Exchange Server.

Outlook has always defaulted to RPC for internal connections and Outlook Anywhere for external connections. Because Outlook Anywhere was originally designed only for external use, the Autodiscover service in Exchange 2007 and 2010 handed Outlook clients a single set of Outlook Anywhere parameters, the ones intended for external connectivity.

The screenshot below displays the Outlook Anywhere configuration output from an Exchange 2010 Client Access server. Notice there is only one External Hostname for connectivity and only one Client Authentication Method you can specify.

In Exchange 2013 we can now specify separate hostnames and authentication methods depending on whether the client is internal or external.

The authentication type is very important:

NTLM Authentication uses the credentials of the Windows logon session: a domain-joined client proves who it is without the password ever leaving the machine, so Outlook signs in automatically without prompting for authentication.

Basic Authentication is clear-text authentication: the username and password are sent base64-encoded (not encrypted) with every request, and it does not use your Windows logon credentials, which is why Outlook has to ask for them. It is only secure as long as the connection is encapsulated in SSL/TLS, so the Outlook Anywhere virtual directory should always be left requiring SSL.

As a general rule of thumb you want Basic Authentication for external connections and NTLM Authentication for internal connections. You can use NTLM externally as well; however, I have had issues with it passing through some firewalls and proxy servers on remote networks, so I advise my customers to always use Basic Authentication for maximum supportability on remote connections.
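The following is an added example, not part of the original post, showing how that rule of thumb is applied to Exchange 2013 from the Exchange Management Shell: NTLM for the internal hostname, Basic (over SSL) for the external hostname, on every Exchange 2013 Client Access server, followed by a check for any server that would still hand internal clients Basic. The hostnames are assumptions; in a split-DNS setup they are often the same name, as in the post.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell
# on Exchange 2013. Hostnames below are assumptions; substitute your own.
$InternalHost = 'mail.company.com'   # assumed: split-DNS name resolving to the CAS internally
$ExternalHost = 'mail.company.com'   # assumed: public name, present on the same certificate

# Only Exchange 2013 (version 15) Client Access servers have the Internal* settings;
# in a coexistence environment Get-OutlookAnywhere also returns 2010 servers, so filter.
$Cas2013 = Get-ExchangeServer |
    Where-Object { $_.IsClientAccessServer -and $_.AdminDisplayVersion.Major -ge 15 }

# 1. Show what each server currently answers Autodiscover with.
$Cas2013 | ForEach-Object { Get-OutlookAnywhere -Server $_.Name } |
    Format-Table Server, InternalHostname, InternalClientAuthenticationMethod,
                 ExternalHostname, ExternalClientAuthenticationMethod -AutoSize

# 2. Apply the split configuration: NTLM inside, Basic outside, SSL required for both.
foreach ($Server in $Cas2013) {
    Get-OutlookAnywhere -Server $Server.Name | ForEach-Object {
        Set-OutlookAnywhere -Identity $_.Identity `
            -InternalHostname $InternalHost `
            -InternalClientsRequireSsl $true `
            -InternalClientAuthenticationMethod Ntlm `
            -ExternalHostname $ExternalHost `
            -ExternalClientsRequireSsl $true `
            -ExternalClientAuthenticationMethod Basic `
            -IISAuthenticationMethods Basic, Ntlm
    }
}

# 3. Verify: a server still advertising anything other than Ntlm internally will
#    keep prompting domain-joined Outlook clients.
$Cas2013 | ForEach-Object { Get-OutlookAnywhere -Server $_.Name } |
    Where-Object { $_.InternalClientAuthenticationMethod -ne 'Ntlm' } |
    ForEach-Object {
        Write-Warning "$($_.Server): internal auth is $($_.InternalClientAuthenticationMethod), expected Ntlm"
    }
```

The IIS authentication methods on the virtual directory must include every method the clients will be told to use, which is why both Basic and Ntlm are listed; Autodiscover can take up to the Client Access server's cache interval to start advertising the new values, so do not expect the change to be instant on the client side.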

Here is where things get a little tricky. Outlook 2010 RTM only understands the External Autodiscover response for Outlook Anywhere, not the Internal response. This is shown in the screenshot below: notice the Server address is my external hostname and the Authentication is Basic.

This means that, provided you have split DNS in place for the external FQDN used for connectivity ("mail.company.com"), your internal clients will connect, but with Basic Authentication. Since Basic does not use the Windows logon credentials, the Outlook clients will be prompted for authentication.

Outlook 2010 SP1 and later supports both the Internal and External Autodiscover responses for Outlook Anywhere, which I have displayed below in two screenshots, as I needed to scroll down in the Test E-mail AutoConfiguration window:

Note: I went straight to Outlook 2010 SP2 in the screenshot below.

To ensure Outlook clients are not prompted for authentication, make sure the internal client authentication method is set to NTLM. Outlook 2010 clients that have not been service packed will always pick up the external authentication method (Basic), so they need SP1 or later before the internal NTLM setting does them any good.
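Outlook's Test E-mail AutoConfiguration window is the quickest way to see which hostname and authentication package a client is handed, but it is a manual check on one machine. The script below is an added example, not part of the original post, that does the same thing from PowerShell: it posts an Outlook-style Autodiscover request for one mailbox and lists every Protocol block in the reply, so you can see the external (EXPR) block that every Outlook version uses alongside any other blocks the server advertises. The Autodiscover URL and mailbox address are assumptions; the request and response schema URIs are the standard ones Outlook uses.

```powershell
# Added example (not from the original post). Requires PowerShell 3.0+ (Invoke-WebRequest).
$AutodiscoverUrl = 'https://autodiscover.company.com/autodiscover/autodiscover.xml'  # assumed
$Mailbox         = 'user@company.com'                                                # assumed
$Cred            = Get-Credential -Message 'Credentials for the Autodiscover request'

# The same request body Outlook sends: 2006 request schema, asking for the 2006a response schema.
$Body = @"
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
  <Request>
    <EMailAddress>$Mailbox</EMailAddress>
    <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
  </Request>
</Autodiscover>
"@

$Response = Invoke-WebRequest -Uri $AutodiscoverUrl -Method Post -Body $Body `
                -ContentType 'text/xml; charset=utf-8' -Credential $Cred -UseBasicParsing
[xml]$Xml = $Response.Content

# Autodiscover reports lookup failures inside the XML rather than as an HTTP error.
if ($Xml.Autodiscover.Response.Error) {
    throw "Autodiscover error $($Xml.Autodiscover.Response.Error.ErrorCode): $($Xml.Autodiscover.Response.Error.Message)"
}

# One Protocol block per connection method offered. For Outlook Anywhere the fields that
# matter here are Server (the hostname Outlook will connect to) and AuthPackage (Basic or Ntlm).
foreach ($p in $Xml.Autodiscover.Response.Account.Protocol) {
    [pscustomobject]@{
        Type        = $p.Type
        Server      = $p.Server
        SSL         = $p.SSL
        AuthPackage = $p.AuthPackage
    }
}
```

Run it once from inside the network and once from outside: the external block should show Basic, and an internal client that is still being handed only a Basic block for the external hostname is exactly the unpatched Outlook 2010 situation described above. Because the request itself is authenticated with Basic over HTTPS, run it only against an endpoint whose certificate you trust.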